From owner-freebsd-hackers  Sat Jun 29 15:53:52 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 57BDD37B400
	for <freebsd-hackers@freebsd.org>; Sat, 29 Jun 2002 15:53:49 -0700 (PDT)
Received: from mail.npubs.com (npubs.com [207.111.208.224])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F2DAD43E06
	for <freebsd-hackers@freebsd.org>; Sat, 29 Jun 2002 15:53:48 -0700 (PDT)
	(envelope-from nielsen@memberwebs.com)
Received: 8.12.2-(Neptune)
From: "Nielsen" <nielsen@memberwebs.com>
To: "Terry Lambert" <tlambert2@mindspring.com>,
	"Joao Carlos" <jcrr@ieee.org>
Cc: "Luigi Rizzo" <rizzo@icir.org>, "Ken Ebling" <kebling@us-it.net>,
	<freebsd-hackers@freebsd.org>
References: <000801c21f1c$029cefe0$0201a8c0@Ken> <3D1D4EB3.9410011@mindspring.com> <20020629170251.65DDB43E13@mx1.FreeBSD.org> <20020629110237.A73787@iguana.icir.org> <001f01c21f99$3c363cc0$1e6eb0c8@pchome> <3D1E2B38.A70658EA@mindspring.com>
Subject: Re: ipfw/dummynet suggestion
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020629225348.F2DAD43E06@mx1.FreeBSD.org>
Date: Sat, 29 Jun 2002 15:53:48 -0700 (PDT)
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

> Seriously, I'm wondering what "security restrictions" are so
> onerous that users are willing to change their IP addresses to
> get around them, and why they are there in the first place?

Well in certain cases it's company policy that certain machines (ie: users)
can't browse the web during certain hours. I didn't make the rules, just
asked to implement them.

> Finally, I'll suggest that if you truly want to implement this
> thing, that the "correct" way to do it is probably to use the
> per machine NT Domain Controller information via hacking up the
> code from the SAMBA project, so that you can *ask* the NT domain
> controller for the credentials associated with an IP address,
> since this access control model is why NT Domaons were designed.

True, but often the simplest, semi-reliable solution wins out, so it came
down to machines and MAC addresses.

Nate




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message